Patching Windows Server 2016

by Mitchell Grande

The patching strategy for Windows Server 2016 has changed fairly significantly since 2012 R2, and understanding these changes is crucial to managing this operating system effectively. Here, we'll review the new cycle of patch releases and how to make sure your servers stay up to date.

Prior Versions of Windows

To understand the changes in Server 2016, it helps to know how patches are being released for previous versions of Windows. Since October 2016, Windows Server 2008 R2, 2012, and 2012 R2 have been on a monthly rollup patching cycle. Each month, three updates are released: a monthly quality rollup, a security-only update, and a preview of monthly rollup. The monthly quality rollup and preview of monthly rollup contain both security and non-security fixes, while the security-only update contains just security updates. Additionally, the security only updates are not a rollup that includes fixes from the prior updates. Every monthly security-only update must be installed to stay current, whereas only the latest monthly quality rollup is required to get updated all the way.

Changes in Server 2016

In Windows Server 2016, the 3 update types have been collapsed into a single monthly cumulative update (often shortened as a CU). This CU contains all security and non-security fixes up to that point. To get any server patched to the latest level, only the most recent CU needs to be installed.

There are typically two update releases each month for Windows Server 2016. On the second Tuesday of each month, aka Patch Tuesday, a CU is released that contains all security and non-security updates available up to that point. Later in the month, another CU is released that contains only non-security updates. This second CU is often called the Quality or Preview update as the non-security fixes it contains will make their way to the Path Tuesday cumulative update the following month.

By releasing the quality CU separately, organizations can install the primary CU released on Patch Tuesday to the general population, while deploying the quality update released later in the month to a pilot group of devices. If issues are found during the deployment to the pilot group, the deployment of the following Patch Tuesday update can be paused until any problems are resolved.

Overall, these changes eliminate the possibility of installing just security-only updates. Some organizations have taken that approach with previous versions of Windows Server, but that is no longer an option. The only way to receive security updates is to install the full cumulative updates as they're released. This may be a worrying change for some, but it has some significant advantages. For one, it ensures that important non-security fixes are applied uniformly. Since bug fixes were previously delivered in separate non-security updates, critical bugs could go unpatched causing issues and downtime that could have been avoided. Additionally, only releasing cumulative updates drastically reduces the number of variations of update configurations in the field. This should make testing and deployment easier for both application developers and system administrators.

Additional Products

Just like in previous versions of Windows Server, updates for some additional products are included separately through Windows Update. For example, security updates for SQL Server, definition updates for Windows Defender, and the Windows Malicious Software Removal Tool are offered through the standard update channels. However, these products and their patches are not part of the cumulative update that is released for the server operating system itself.

The only exception to this is the .NET framework. In Server 2016, .NET framework updates are provided as part of the operating system's monthly cumulative update. Therefore, installing the CUs released for Windows Server 2016 will update any installed versions of .NET framework as well.

Other Notes

As part of the new servicing model, there's a single, consolidated view of all updates available for Windows Server 2016 at the Windows 10 and Windows Server 2016 Update History page. This makes it easy to see the history of all patches for the OS. Similar pages are also available for previous versions of Windows.

Since all updates are now cumulative, it's easy to know the exact patch level of the server. By opening the new Settings menu and going to System > About, you'll find the build number of the operating system. Comparing that build number to the update history makes it easy to see which CU is installed on the server.

Windows Server 2019

The above information is generally applicable to Windows Server 2019 as well. The only major difference is that .NET framework updates are being broken back out into their own CUs separate from the operating system updates. More information on that is available here.